TL;DR
- The federal compliance floor in 2026 is the Telephone Consumer Protection Act at 47 U.S.C. § 227, the FCC’s implementing rules at 47 C.F.R. § 64.1200, and the seller-specific consent framework hardened by the FCC’s 2023 Lead Generators Order and the 2025 reconsideration proceedings.
- The FCC’s revised opt-out rules — including the “revoke-all” provision requiring a single revocation request to terminate consent across all messaging from the same business — were delayed by the Commission’s April 7, 2025 order and now take effect April 11, 2026 for most operative provisions, with full implementation of the cross-channel revocation requirement extended into 2027.
- State mini-TCPAs in Florida, Washington, Oklahoma, Maryland, and a growing number of other jurisdictions impose obligations that operate parallel to the federal regime, with private rights of action and statutory damages that the federal framework does not preempt.
- The consent record that survives a 2026 complaint is not a database row. It is a rendered disclosure, an affirmative consumer action, an immutable timestamp, a named seller, and an unbroken chain of custody to the number actually dialed.
- The two recurring failure modes in 2026 litigation are seller-specific consent gaps (consent collected for one seller but used by another) and documentation gaps (consent collected but not authenticatable three years later). The checklist below addresses both.
Overview: What Changed Heading Into 2026
Lead generation compliance in 2026 is not the same problem it was in 2022. Three structural shifts have reshaped the operational requirements every buyer and publisher should re-baseline against this year.
The first is the FCC’s seller-specific consent regime. The Commission’s 2023 Targeting and Eliminating Unlawful Text Messages order, codified at 47 C.F.R. § 64.1200(a)(10), eliminated the long-standing “marketing partners” workaround under which a single consent could authorize calls or texts from an unbounded list of downstream sellers. The 2025 reconsideration proceedings refined but did not retreat from the seller-specific principle: consent must identify the seller by name and the goods or services being offered, and consent to one seller is not transferable to another.
The second is the FCC’s revised opt-out framework. The Commission’s February 2024 Strengthening the TCPA’s Consumer Protections rules introduced a revoke-any-reasonable-method standard and a “revoke-all” rule under which a single revocation request must terminate the caller’s authority to send any further calls or texts to that consumer across all programs and channels. The Commission’s April 7, 2025 order delayed the operative date of several of these provisions to April 11, 2026, and pushed the full cross-channel implementation of the revoke-all rule further into 2027. The substantive obligation is now live for the 2026 calendar; the implementation timeline is what shifted.
The third is the maturation of state mini-TCPA litigation. Florida’s Telephone Solicitation Act, Washington’s Commercial Electronic Mail Act, Oklahoma’s Telephone Solicitation Act, and Maryland’s Telephone Consumer Protection Act have generated a parallel docket of lead generation cases in which the federal TCPA framework is not the operative cause of action. Plaintiffs in those forums are not constrained by federal consent doctrine, and class certification standards differ.
These three shifts are the backdrop against which every compliance checklist should be re-evaluated this year.
Section 1: Federal Foundation — TCPA and FCC Rules
The federal baseline applies to every lead generation program that touches the U.S. consumer phone network.
Express Written Consent Under § 64.1200(f)(9)
For autodialed or prerecorded telemarketing calls or texts to a mobile number, the operative requirement is prior express written consent under 47 C.F.R. § 64.1200(a)(2). The four-element definition at § 64.1200(f)(9) requires the agreement to:
- Be in writing, including electronic signatures recognized under the E-SIGN Act at 15 U.S.C. § 7001.
- Bear the signature of the consumer.
- Include a clear and conspicuous disclosure authorizing the named seller to deliver autodialed or prerecorded telemarketing calls or texts.
- Make clear that consent is not a condition of purchase.
A 2026 consent capture that misses any of the four elements is a losing fact pattern in litigation. Bradford v. Sovereign Pest Control of Texas, Inc., No. 4:18-cv-00197 (S.D. Tex. 2019), is one of the canonical examples — the defendant could produce the form HTML but not what the consumer actually saw on screen, and summary judgment on the consent defense was denied.
Seller-Specific Consent
The seller-specific requirement is the most operationally disruptive piece of the current rule. Consent given to Publisher X to be contacted by Seller A does not authorize calls from Seller B, even if Seller B paid Publisher X for the same lead. The 2023 Lead Generators Order explicitly closed the “marketing partners” workaround, and the 2025 reconsideration proceedings did not reopen it.
Operationally, this means:
- The disclosure presented to the consumer at the moment of opt-in must name the specific seller or sellers who will receive the consent.
- Lead resale to a seller not named in the original disclosure does not transfer valid consent — it requires a fresh consent capture against the new seller.
- Co-registration paths that route a single submission to multiple sellers require either a per-seller affirmative action or a disclosure that names each seller specifically.
The federal rule does not impose a numerical cap on how many sellers can share a single disclosure, but courts have shown declining tolerance for disclosures that name a dozen or more sellers in a way that no reasonable consumer would read or remember.
Revocation and the Revoke-All Rule
The revised § 64.1200(a)(10) opt-out framework, effective in stages through 2026 and 2027, requires:
- Honoring revocation requests made by any reasonable method, including reply STOP messages, verbal revocations on a live call, and revocation requests submitted through any of the caller’s customer-facing channels.
- Treating a revocation request as terminating consent across all categories of messaging from the same business — the “revoke-all” rule — unless the consumer has affirmatively scoped the revocation more narrowly.
- Processing revocation requests within a reasonable time, which the FCC has indicated should not exceed ten business days, and within forty-eight hours for SMS opt-outs in practice.
The internal-DNC rules at § 64.1200(d) survive on top of the revoke-all framework: written policies, employee training, do-not-call list maintenance for five years, and honoring opt-outs across affiliates as a matter of policy regardless of consent ownership.
Calling Hours and Time-of-Day Restrictions
The federal calling-hour restriction at § 64.1200(c)(1) prohibits telemarketing calls before 8 a.m. or after 9 p.m. local time of the called party. State analogues — most notably Florida and Oklahoma — impose narrower windows for SMS specifically, and several states prohibit Sunday calls or texts altogether.
Federal Foundation Checklist
- All call and text marketing programs operate under prior express written consent that satisfies the four-element § 64.1200(f)(9) test.
- Disclosures name the specific seller or sellers who will receive the consent; co-registration paths use per-seller affirmative actions where multiple sellers are involved.
- Consent records capture the rendered disclosure exactly as the consumer saw it, not just the underlying form template.
- Revocation handling honors STOP messages, verbal revocations on live calls, and revocations through any customer-facing channel.
- Revocations are treated as terminating consent across all messaging programs from the same business unless narrowly scoped.
- Calling hours respect the federal 8 a.m. to 9 p.m. window in the called party’s local time, plus tighter state windows where applicable.
- Internal-DNC policy, training, and recordkeeping under § 64.1200(d) are documented and operational.
Section 2: State Mini-TCPAs and Multi-State Programs
The federal floor is no longer the binding constraint in several jurisdictions. Lead generation programs that operate across state lines must classify each campaign against the controlling state framework.
Florida: The FTSA
Florida’s Telephone Solicitation Act, Fla. Stat. § 501.059, requires prior express written consent for telephonic sales calls placed using automated systems, including text messages. The 2021 amendments established a private right of action with statutory damages of $500 per violation, treble damages for willful violations, and a broad definition of “automated system” that captured most modern dialer and SMS platforms. Subsequent legislative refinements narrowed the definition somewhat, but Florida remains one of the most active forums for lead generation litigation in the country.
Washington: CEMA
Washington’s Commercial Electronic Mail Act, RCW 19.190, applies to text messages and email and has been used in lead generation disputes when leads originating from Washington residents are routed to autodialed SMS campaigns. The private right of action and damages provisions make Washington a regular forum for SMS-focused class litigation.
Oklahoma: The TSA
Oklahoma’s Telephone Solicitation Act, Okla. Stat. tit. 15, § 775C.1 et seq., substantially mirrors the Florida FTSA structure and has generated a parallel docket of lead generation cases since its 2022 enactment. The Oklahoma statute applies to calls and texts placed to Oklahoma-resident phones regardless of where the caller is located.
Maryland and Beyond
Maryland’s TCPA at Md. Code, Com. Law § 14-3201 et seq. adds jurisdiction-specific obligations on disclosure language and time-of-day restrictions. New York, New Jersey, and a growing number of other states have either enacted or proposed mini-TCPA statutes that add a state-law layer to the federal framework.
The practical implication for multi-state programs is that compliance counsel needs a current map of which state statutes apply by consumer residence, which states impose tighter time-of-day restrictions, and which states have private rights of action that could support standalone class certification.
State Mini-TCPA Checklist
- Lead consumer residence is captured and retained as a structured field, not inferred from area code.
- Lead routing rules apply the strictest applicable state framework based on consumer residence, not caller location.
- Florida, Washington, Oklahoma, and Maryland consents satisfy the more restrictive state-level disclosure requirements where applicable.
- Time-of-day rules respect state-specific windows where they are tighter than the federal 8 a.m. to 9 p.m. range.
- Class-litigation exposure under state mini-TCPAs is part of the program risk model, not folded into TCPA exposure as a single line item.
Section 3: Vertical-Specific Overlays
Several verticals carry compliance obligations that extend beyond the TCPA.
Medicare and Medicare Advantage
Medicare marketing is governed by CMS regulations at 42 C.F.R. §§ 422.2260–422.2276 and 423.2260–423.2276 in addition to the TCPA. The agent-of-record rules, the Scope of Appointment requirement under § 422.2264, and the ten-year call-recording requirement create a parallel compliance regime that the TCPA framework does not address.
Mortgage and Financial Services
Mortgage and consumer lending leads carry CFPB obligations under the Truth in Lending Act, RESPA, and Regulation Z that interact with TCPA consent capture. The Mortgage Acts and Practices Rule (Regulation N) at 12 C.F.R. § 1014 layers UDAAP exposure on top of TCPA exposure for misleading advertising claims in lead acquisition.
Insurance
State Department of Insurance advertising rules apply on top of the TCPA. The NAIC’s Producer Licensing Model Act and the suitability-in-annuity-transactions framework extend further into how leads can be sourced and used in particular lines. For Medicare Advantage and Medicare Supplement programs, the CMS regime layers on top.
Healthcare and HIPAA
Healthcare leads — particularly lead programs that capture diagnostic information, prescription data, or condition-specific intake — trigger HIPAA obligations under 45 C.F.R. Parts 160 and 164 when the lead generator is acting as a business associate of a covered entity. The TCPA’s healthcare exception is narrow and does not apply to most marketing scenarios.
Solar and Home Services
Solar, roofing, HVAC, and remodeling have all become litigation-intensive verticals under the TCPA. State licensing requirements for contractors add an additional layer in many jurisdictions, and several state attorneys general have brought enforcement actions against solar marketing in particular over the past three years.
Vertical Overlay Checklist
- Each campaign is classified against the vertical-specific regulatory regime that controls in addition to the TCPA.
- Medicare campaigns satisfy CMS Scope of Appointment, agent of record, and call-recording obligations on top of the TCPA proof requirement.
- Mortgage and consumer lending campaigns satisfy Regulation N and UDAAP standards on lead acquisition advertising.
- Insurance campaigns satisfy state DOI advertising rules in addition to the TCPA framework.
- Healthcare lead programs assess HIPAA business-associate status and structure capture and storage accordingly.
Section 4: Consent Capture and Documentation
The single most consequential operational area in 2026 is what gets captured at the moment of opt-in. A consent record that satisfies the FCC’s substantive rules but cannot be authenticated in litigation is functionally worthless.
The Five Elements of a Defensible Record
Every defensible consent record reduces to five fixed elements:
- The rendered disclosure — the exact text, visual context, and form state the consumer actually saw at the moment of opt-in, not the form template or the current version in the CMS.
- The affirmative consumer action — a DOM event corresponding to the consumer’s checkbox, button click, or signature input, distinguishable from automated submission.
- An immutable timestamp — a time anchor that cannot be retroactively altered, with sufficient resolution to sequence the consent against subsequent records.
- A named seller — explicit identification of the seller authorized by the consent, captured as a structured field, not inferred from form context.
- An unbroken chain of custody — a verifiable record path from the consent event to the phone number ultimately dialed, with no points where the record can be substituted or edited without trace.
Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017), reinforced that consent must be commensurate with the scope of the communications it authorizes. The five-element record is what makes that scope provable later.
Capture Specification
A 2026-grade capture specification goes beyond form-builder defaults:
- Snapshot the rendered disclosure at the moment of submission, including font size, position, and state of any affirmative-action elements.
- Capture the page URL, A/B test variant, and any UTM or campaign identifiers as structured metadata.
- Record DOM-level interaction telemetry sufficient to distinguish human from automated submission.
- Capture an independent timestamp sourced from a trusted time authority, not the form server.
- Generate a content hash of the rendered disclosure at capture time and persist it as part of the record.
Storage Architecture
Storage architecture determines whether a record is admissible three years later:
- Use write-once or append-only storage for consent records. Mutable database rows are not defensible evidence.
- Persist consent records in a system separate from the operational systems that route, sell, or contact the lead. Co-located storage creates the appearance of opportunity for retroactive editing even when no editing occurred.
- Retain consent records for the full statute of limitations plus a buffer. Four years federally is the floor; five years is a reasonable working standard; seven years is safer in regulated verticals with longer state limitations or CMS recordkeeping requirements.
Capture and Documentation Checklist
- Consent capture records the rendered disclosure as the consumer saw it, not just the form template.
- Affirmative action is captured as a discrete event with timestamp and DOM-level metadata.
- Timestamps are independently sourced and resistant to retroactive alteration.
- Named seller is captured as a structured field tied to the specific disclosure presented.
- Chain of custody from consent event to dialer record is verifiable through stored telemetry.
- Storage is write-once or append-only and separated from operational lead routing systems.
- Retention extends at least four years federally, with longer retention for state mini-TCPA jurisdictions and CMS-regulated verticals.
Section 5: Buyer-Side Due Diligence
Buyers carry the proof burden under the TCPA. The diligence checklist that protects a buyer in 2026 looks very different from the procurement checklist that satisfied an audit in 2022.
Procurement Diligence
- Publisher provides sample consent records that include the rendered disclosure, not just summary certificates or database extracts.
- Disclosure language is reviewed against the four-element § 64.1200(f)(9) test for every campaign the buyer will receive leads from.
- Seller-specific identification language is verified for each campaign — the buyer’s legal entity name must be present in the disclosure that consumers actually see.
- Publisher’s retention policy meets or exceeds the buyer’s litigation-response requirements.
- Sub-publisher and affiliate visibility is contractually required, not aspirational.
Contractual Requirements
- Indemnification covers TCPA, state mini-TCPA, and vertical-specific exposure where applicable.
- Audit rights extend to underlying consent records, not just summary reports.
- Notification obligations require the publisher to surface known consent-record gaps before the buyer relies on the leads downstream.
- Termination and clawback rights apply when the publisher cannot produce a complete consent record for any specific lead.
Operational Diligence
- Lead intake verifies the presence of the five record elements before the lead is routed to a dialer.
- Litigator and complainant scrub runs before contact, not after.
- Internal-DNC matching runs against the buyer’s consolidated list, not just the publisher’s.
- Revocation records flow back upstream to the publisher when consumers opt out post-contact.
Section 6: Operational Hygiene for 2026
The final checklist captures the operational practices that distinguish programs that survive litigation from those that do not.
Operational Hygiene Checklist
- Compliance review is run at least annually against the current FCC rule text, not a cached version of a prior consultant deliverable.
- Disclosure language is versioned at the rendered level, with snapshots persisted as part of the consent record.
- State residence determination is structured and verifiable, not inferred from area code.
- Revocation handling is logged with audit trail showing the request, the channel, the timestamp, and the propagation to all downstream systems.
- Litigator and complainant scrub is run continuously against current lists, not at fixed intervals.
- Internal-DNC is consolidated across all program affiliates and applied uniformly.
- Sub-publisher and affiliate consent practices are audited on a sampling basis, with rendered-disclosure spot checks rather than attestation-only.
- Litigation-response playbook identifies who pulls the consent record, how, and how quickly — measured in hours, not weeks.
Key Takeaways
The TCPA framework that controls in 2026 is more demanding than the framework that controlled three years ago. The seller-specific consent regime under the 2023 Lead Generators Order and the 2025 reconsideration proceedings closes operational shortcuts that older programs relied on. The revised opt-out and revoke-all rules under the February 2024 amendments — delayed in stages by the FCC’s April 2025 order — change how revocation propagates across messaging programs in ways that legacy systems often cannot accommodate without rework.
State mini-TCPAs in Florida, Washington, Oklahoma, Maryland, and a growing list of other jurisdictions operate in parallel to the federal framework, with private rights of action and damages structures that make state forums independently attractive to plaintiffs.
The decisive operational question in 2026 is not whether a program captures consent. Every program captures something. The decisive question is whether the record captured will authenticate three years later — rendered disclosure, affirmative action, immutable timestamp, named seller, unbroken chain of custody. Programs that engineer for that standard survive the litigation that programs designed for procurement-audit compliance do not.
The checklist above is a working baseline. Compliance counsel should adapt it to the specific verticals, jurisdictions, and risk posture of each program — but the structural elements are stable, and the gaps between this baseline and an actual program are what most TCPA litigation now turns on.
Read more on what makes a consent record defensible in Proof of Consent: What TCPA Actually Requires (And What Courts Accept), or see the publisher-side capture spec in Lead Consent Documentation: What to Capture, Store, and Prove. For vertical-specific guidance, see Insurance Lead Compliance: A Guide for Buyers and Publishers and How to Buy TCPA Compliant Leads: A Buyer’s Checklist.